All corporate compliance officers have the same goal: to build and operate an effective compliance program. Exactly how you do that will vary from one business to the next, depending on the unique resources and operations you have — but all compliance officers do need one other thing to succeed. You need a compliance strategy.
Most people grasp that idea at an intuitive level: you need a plan if you want to achieve your goals. The challenge is in understanding just what a compliance strategy is, and how to develop one that will actually work. Otherwise you’ll spend your days performing a lot of compliance activities, without any assurance that those efforts make a difference to your business.
So today let’s talk about compliance strategy and review some ideas for how to develop a successful one.
What Do We Mean by 'Compliance Strategy’?
The dictionary defines strategy as “a plan, method, or series of maneuvers for obtaining a specific goal.” Or, more simply — strategy is the plan you put together to use the resources you have in pursuit of the goals you want to achieve.
A compliance officer has several types of resources at his or her disposal: staff, technology, data, senior leadership, outside advisers, internal expertise. Compliance strategy is how you arrange and use those resources to maximum effect.
For example, do you want to spend boatloads on technology to govern every step of an employee’s workday? That would probably give you a highly effective compliance program, but it would be expensive and sap employee morale. Or would you rather rely on senior executives exhorting a high standard of conduct, with incentive compensation plans that encourage good behavior? Those efforts will cost less, but might not be as effective as IT governing every aspect of daily work routines.
Strategy is about choosing: you decide to pursue one course of action, rather than another. Good strategy is about choosing wisely, given the resources and constraints you have.
And compliance strategy, specifically, is about choosing certain investments and tactics rather than others, to achieve the most effective compliance program with the least amount of time, money, and labor.
Why is a Compliance Strategy So Important?
Without a strategy to pursue your objectives, you’re much more likely to get trapped responding to external events and circumstances, rather than navigating through those things to keep pursuing your goal. This is especially true in the corporate compliance world, where compliance officers are besieged with external events that threaten to distract you from your goals.
For example, you might have dreams of improving the due diligence capabilities that your compliance program has, so you can better prevent bribery schemes from happening — but in reality, you spend all your time investigating specific FCPA allegations. Which means you never have time to implement those bigger technology overhauls. This means new bribery schemes keep arising, burdening your team even more. And so forth and so on, ad nauseam.
That’s what happens to compliance programs without an effective strategy. External events (or even just other executives in the enterprise) keep intruding upon and disrupting your compliance program priorities. You end up working more, but accomplishing less.
Then you’re on a slippery slope to irrelevance. The compliance program gets sidelined, because you’re so busy doing mundane compliance tasks that you never achieve the lofty goals you had at the start. Meanwhile, your compliance team gets burned out.
That’s bad for the company, and bad for your career. So let’s consider four steps to develop a stronger, more successful compliance strategy.
Understand Your Corporate Culture & Executive Support
Begin with a frank assessment of your corporate culture and how much executive support exists for a culture of ethics and compliance.
Why? Because corporate culture is the most influential force that shapes your compliance strategy. If the workforce is generally positive about ethical conduct and has heard the right messages from senior management, and management then followed up with practical steps like incentive compensation plans that don’t pit employees against each other — that’s good. Crafting the rest of your strategy will be easier.
On the other hand, if senior management only pays lip service to the idea of ethics and compliance, the workforce probably sees compliance as a business function to be ignored or avoided. That’s bad, but at least you know that you’ll need a different strategy; perhaps one that emphasizes demonstrations of how the compliance function can help other parts of the business be more successful.
So an honest evaluation of the corporate culture and executive support, to let you understand the environment in which your compliance strategy will unfold — that’s critical.
Spend Time on Your Risk Assessment
Compliance officers also should devote as much time and attention as necessary to your risk assessment. That assessment will illuminate where your compliance program shortcomings lie, and then you’ll have a better sense of what specific tactics (more training? more technology? better policies? better people?) will help you achieve the effective compliance program you want.
That risk assessment should always include a review of the laws and regulations that impose compliance demands on your business; but even more important is an assessment of your internal operations to see how well your company is or isn’t living up to those obligations. Then you can begin to implement specific changes to improve the company’s overall compliance posture.
Embrace Automation and Technology Where You Can
The goal of your compliance strategy should be better compliance at lower overall cost to the enterprise. In that case, try to embrace automation and technology wherever you can.
First, automation is more cost efficient; it reduces the time employees spend on tedious compliance tasks (say, chasing down due diligence forms from third parties), which then lets those employees spend more time on productive tasks (making sales or drafting new policies, for example). Better technology also runs faster than manual compliance processes, and provides better documentation should you need to provide that to regulators, the board, or business partners.
Automation is a “force multiplier” for compliance. That is, even though you may spend some money now to invest in automation, the enhanced compliance capabilities you gain will lead to larger savings or more productivity over the long run.
Don’t Forget Ethics
Go back to our first point about assessing your organization’s corporate culture. Odds are it won’t be terrible, but it won’t be entirely perfect either. In that case, working to improve the ethical culture can be a huge force multiplier for compliance.
Always remember that most employees want to speak up about misconduct, because they want to work at a business that does the right thing and corrects its mistakes. Paying attention to ethics can help to foster that attitude — and then the mechanics of compliance get much easier to resolve. The conversation shifts from “Why do we have to do this at all?” to “How am I supposed to do this?” The latter is a much easier discussion for compliance officers to have.
So weave talk about ethics and core values into executive communications and training sessions. (Especially weave that discussion into training with middle managers, so that they will talk about ethics more often with employees.) Conduct workforce culture surveys, perhaps in conjunction with HR. Include questions about ethics and corporate culture in exit interviews with employees.
Always, always look for opportunities to communicate messages about ethics. An ethically-minded workforce is the most cost-efficient strategy you can employ for a successful compliance program.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.